(57) Abstract: A port blocking method (220) particularly applicable to a system in which protected data is segregated from other applications using secured data do not imperil the security of secure data. In a preferred embodiment, port blocking method (220) is implemented in an application resident on the kernel level which monitors port requests and allows limited access to the port based on whether requesting processes are secure (220). 
PORT BLOCKING METHOD AND SYSTEM 

Field of the Invention : 

The invention relates to the protection of data stored in a computer, and more particularly, to data which has been secured and opened by non-secure applications, where a high level application or operating system component acts to disable certain system resources in order to protect the security of the data. 

Background of the Invention : 

In computer systems, processes may access many system resources, such as serial ports or connections to the Internet. In a situation in which secured data is being accessed by a non-secured application, a means must be developed by which the non-secured application can be restricted from performing operations which might compromise the security of the data. 

It is known to open secure data in a system which is completely isolated from outside communications, which has no connection to means by which an unsecured application may, by accident or sabotage, compromise the secured data. It is also known to open secure data with secure applications, which are known to be free from the risk of accident or sabotage that would compromise the secured data. These solutions prevent the use of popular software applications to open secured data, or the use of a computer which is not disconnected from outside communications, and thereby are limited in their usefulness. 

Summary of the Invention : 

The invention discloses a port blocking method particularly applicable to a system in which secured data is transmitted to a recipient computer for use with non-secured applications. An illustrative embodiment of the invention comprises performing a security check on a process and blocking calls for use of a port if they come from a process using secured data. The tracking of secured processes may include determining whether and how often a secured process should be allowed to use a port. The security check may include determining whether the process is secured by consulting a secured process list and determining whether the resource should be available to the process requesting use of the resource. 

Further disclosed are a port blocking system, a secured data transmission system using port blocking, a computer-readable medium programmed to block port use, and a computer configured to block port use. 

Description of the Drawings : 

The invention is best understood from the following detailed description when read 
with the accompanying figures. 

Figure 1 is a schematic diagram of a computer system operating according to an illustrative embodiment of the port blocking method of the invention. 
Figure 2 is a flow chart of a port request in a computer system operating according to an illustrative embodiment of the port blocking method of the invention. 

Figure 3(a) is a flow chart of a port open request in a computer system operating 
according to an illustrative embodiment of the port blocking method of the invention. 

Figure 3(b) is a flow chart of a port close request in a computer system operating according to an illustrative embodiment of the port blocking method of the invention. 

Figure 3(c) is a flow chart of a security check in a computer system operating 
according to an illustrative embodiment of the port blocking method of the invention. 

Detailed Description of the Invention : 

The invention disclosed prohibits certain processes from utilizing the port resources of the computer on which they are running. These may be secured processes, for example ones which have opened secure data. In a preferred embodiment of the invention, the status of a process as secured is determined by the process's presence on a list of secured processes. 

In a preferred embodiment, as shown in Fig. 1, in a computer 100, a control application 110 runs on the kernel (ring 0) level 120 and applications 130 run on higher levels 140. When applications request access to port 150, control application 110 monitors and handles these access requests. 

As shown in Fig. 2, in some computer systems, for example the Microsoft Windows NT and Windows 2000 operating systems, the port monitoring is able to intercept all port-related calls. When a port request is initiated 200, control application (110 in Fig. 1) intercepts that request and determines the process id 210. The control application (110 in Fig. 1) in a preferred embodiment accesses a list of processes that are not allowed to open a port. The process id is used to determine whether the process is secure (not allowed to open a port) 220. If it is secure, the request is blocked at 230. If it is not secure, then the request is passed on to the port 250. 

As shown in Fig. 3(a), in some computer systems, for example the Microsoft Windows 95 and 98 operating systems, the port monitoring is able to intercept only open and close calls. In order to ensure that a process which already has access to a port does not then become a secure process, a check must be performed on any process which is to become secure. When an open port request is initiated 300, control application (110 in Fig. 1) intercepts that request and determines the process id 310. The control application (110 in Fig. 1) in a preferred embodiment accesses a list of processes that are not allowed to open a port. The process id is used to determine whether the process is secure (not allowed to open a port) 320. If it is secure, the request is blocked 330 and the call is tracked 340. If it is not secure, then the request is passed on to the port and the process ID and port handle are tracked 350. 

As shown in Fig. 3(b), when a close port request is initiated 360, control application (110 in Fig. 1) intercepts that request and completes the call 362. Then the process ID and port handle are removed from the database of tracked open ports 364. 

In addition to these operations on open port and close port requests, as shown in Fig. 3(c), when a process undergoes the security check which determines whether it will be secured 370, its process id is checked against the database of tracked open ports 372. If the process has open ports, the process may not be made secure, the security check fails 374, and the security check is completed 376. If the process does not have open ports it will pass the security check and the process id will be added to the list of secured processes 378. 
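The following is an added illustrative model of the control application 110 as described for Fig. 2 and Figs. 3(a) to 3(c); it is not code from the patent itself. It keeps the secured process list, the database of tracked open ports and the per-process count of blocked calls in memory, and stands in for real ports with plain strings and for real port handles with integers. The class and method names, the integer handles and the sample process ids 1001 and 2002 are assumptions made for this example; no operating system API or kernel hook is involved.

```python
"""Added illustrative model (not the patent's own code) of control application
110 from Figs. 2 and 3.  Names, integer 'handles' and the sample process ids
are assumptions for this example; ports are plain strings and no real OS port
or kernel hook is touched."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Verdict(Enum):
    PASSED = "passed to port"   # step 250
    BLOCKED = "blocked"         # step 230 / 330


@dataclass
class PortBlocker:
    # List of secured processes: a process on it may not use a port (220).
    secured_pids: set[int] = field(default_factory=set)
    # Database of tracked open ports, step 350: handle -> (owning pid, port).
    open_handles: dict[int, tuple[int, str]] = field(default_factory=dict)
    # Step 340: blocked open calls per secured pid, so a policy can later decide
    # "whether and how often" a secured process may use a port.
    blocked_calls: dict[int, int] = field(default_factory=dict)
    _next_handle: int = 1

    # Fig. 2 path: every port-related call is intercepted (NT/2000 in the text),
    # so a lookup of the caller's pid on the list is the whole check.
    def port_request(self, pid: int) -> Verdict:
        if pid in self.secured_pids:
            return Verdict.BLOCKED
        return Verdict.PASSED

    # Fig. 3(a) path: only open and close are seen (95/98 in the text), so
    # every open that is allowed is recorded together with the handle it returned.
    def open_port(self, pid: int, port: str) -> Optional[int]:
        if pid in self.secured_pids:
            self.blocked_calls[pid] = self.blocked_calls.get(pid, 0) + 1
            return None
        handle = self._next_handle
        self._next_handle += 1
        self.open_handles[handle] = (pid, port)
        return handle

    # Fig. 3(b): the close call is completed, then its tracking record removed.
    def close_port(self, handle: int) -> bool:
        return self.open_handles.pop(handle, None) is not None

    def has_open_ports(self, pid: int) -> bool:
        return any(owner == pid for owner, _ in self.open_handles.values())

    # Fig. 3(c): a process still holding a port may not become secured, otherwise
    # it would keep a channel that the blocker can no longer take away from it.
    def security_check(self, pid: int) -> bool:
        if self.has_open_ports(pid):
            return False                 # step 374: check fails
        self.secured_pids.add(pid)       # step 378
        return True


def demo() -> dict[str, object]:
    """Constructed scenario with two hypothetical processes (pids 1001 and 2002)."""
    blocker = PortBlocker()
    h = blocker.open_port(1001, "COM1")                 # 1001 now holds a port
    first_check = blocker.security_check(1001)          # fails: open port held
    blocker.close_port(h)
    second_check = blocker.security_check(1001)         # passes, 1001 secured
    reopen = blocker.open_port(1001, "COM1")            # blocked and counted
    other = blocker.open_port(2002, "COM2")             # unsecured: allowed
    return {
        "handle": h,
        "first_check": first_check,
        "second_check": second_check,
        "reopen": reopen,
        "blocked_count": blocker.blocked_calls.get(1001, 0),
        "other_handle": other,
        "fig2_secured": blocker.port_request(1001),
        "fig2_other": blocker.port_request(2002),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The security check of Fig. 3(c) is what makes the open/close-only variant hold together: the tracking database can only contain handles whose open call the control application actually saw, so a process is refused secured status until it has closed everything it is known to hold, and from that point on every further open from it is refused and counted.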

A further illustrative embodiment of the invention is directed to a port blocking system wherein certain processes are restricted from using a port, according to the methods provided herein. Further disclosed is a secured data transmission system having a port blocking component to prohibit certain processes from using a port according to the methods provided herein. Still further disclosed is a computer-readable medium programmed to block port use according to the methods provided herein. Still further disclosed is a computer configured to include a port blocking system to block certain processes from using a port according to the methods provided herein. 

The terms "computer", "computer system", or "system" as used herein should be broadly construed to include any device capable of receiving, transmitting and/or using information including, without limitation, a processor, microprocessor or similar device, a personal computer, such as a laptop, palm PC, desktop or workstation, a network server, a mainframe, an electronic wired or wireless device, such as for example, a telephone, an interactive television, such as for example, a television adapted to be connected to the Internet or an electronic device adapted for use with a television, a cellular telephone, a personal digital assistant, an electronic pager, and a digital watch. In an illustrative example, information is transmitted in the form of e-mail. Further, a computer, computer system, or system of the invention may operate in communication with other systems over a network, such as, for example, the Internet, an intranet, or an extranet, or may operate as a stand-alone system. 

While the invention has been described by illustrative embodiments, additional advantages and modifications will occur to those skilled in the art. Therefore the invention in its broader aspects is not limited to the specific details shown and described herein. Modifications may be made without departing from the spirit and scope of the invention. Accordingly, it is intended that the invention not be limited to the specific illustrative embodiments but be interpreted within the full spirit and scope of the appended claims and their equivalents. 
[I / We] claim: 



1. A port blocking method for securing data comprising: 

a port request detection step of detecting a port request for use of a port sent by a process; 

a process identification step of determining the identity of said requesting process; 

a process check step of determining if said process should be permitted to access said port; and 

a permit/deny step of allowing said port request to be fulfilled if said process should be permitted to access said port and denying said port request if said process should not be permitted to access said port. 



2. The method of claim 1 where said process check step comprises: 

a secure process list check step of determining whether said process appears on a list of secure processes. 



3. A port blocking method for securing data comprising: 

a port request detection step of detecting a port request for use of a port sent by a process; 

an open port process identification step of, if said port request is an open port request, determining the identity of said requesting process; 

an open port process check step of, if said port request is an open port request, determining if said process should be permitted to open said port; 

an open port permit/deny step of, if said port request is an open port request, allowing said open port request to be fulfilled and tracking said open port request if said process should be permitted to open said port and denying said port request if said process should not be permitted to open said port; 

a close port process completion step of, if said port request is a close port request, completing said port request; and 

a close port logging step of, if said port request is a close port request, logging the closing of said port. 
4. The method of claim 3 where said open port process check step comprises: 

a secure process list check step of determining whether said process appears on a list of secure processes. 

5. The method of claim 3 where said tracking of said open port request comprises keeping a log of process ID and returned port handle for said open port request, and said close port logging step of tracking the closing of said port comprises removing from said log said record of process ID and returned port handle for that port close request. 

6. The method of claim 5 further comprising: 

a security check step comprising the steps of checking whether a process has open ports, and denying security clearance for a process with open ports, and allowing security clearance for a process with no open ports. 

7. The method of claim 6 where said open port process check step comprises determining if said process identity appears on a secured process list, and where said step of allowing security clearance for a process with no open ports comprises the step of placing said process on said secured process list. 



8. A port blocking system wherein said port blocking system operates to detect a port request for use of a port sent by a process; determine the identity of said requesting process; determine if said process should be permitted to access said port; and allow said port request to be fulfilled if said process should be permitted to access said port and deny said port request if said process should not be permitted to access said port. 

9. A port blocking system wherein said port blocking system operates to detect a port request for use of a port sent by a process; if said port request is an open port request, determine the identity of said requesting process; if said port request is an open port request, determine if said process should be permitted to open said port; if said port request is an open port request, allow said open port request to be fulfilled, track said open port request if said process should be permitted to open said port, and deny said port request if said process should not be permitted to open said port; if said port request is a close port request, complete said port request; and if said port request is a close port request, log the closing of said port. 

10. A secured data transmission system having a port blocking system which operates to detect a port request for use of a port sent by a process; determine the identity of said requesting process; determine if said process should be permitted to access said port; and allow said port request to be fulfilled if said process should be permitted to access said port and deny said port request if said process should not be permitted to access said port. 

11. A secured data transmission system having a port blocking system which operates to detect a port request for use of a port sent by a process; if said port request is an open port request, determine the identity of said requesting process; if said port request is an open port request, determine if said process should be permitted to open said port; if said port request is an open port request, allow said open port request to be fulfilled, track said open port request if said process should be permitted to open said port, and deny said port request if said process should not be permitted to open said port; if said port request is a close port request, complete said port request; and if said port request is a close port request, log the closing of said port. 

12. A computer comprising a communications port and configured to protect secure data by including a port blocking system which operates to detect a port request for use of a port sent by a process; determine the identity of said requesting process; determine if said process should be permitted to access said port; and allow said port request to be fulfilled if said process should be permitted to access said port and deny said port request if said process should not be permitted to access said port. 

13. A computer comprising a communications port and configured to protect secure data by including a port blocking system which operates to detect a port request for use of a port sent by a process; if said port request is an open port request, determine the identity of said requesting process; if said port request is an open port request, determine if said process should be permitted to open said port; if said port request is an open port request, allow said open port request to be fulfilled, track said open port request if said process should be permitted to open said port, and deny said port request if said process should not be permitted to open said port; if said port request is a close port request, complete said port request; and if said port request is a close port request, log the closing of said port. 

14. A computer-readable medium programmed to protect secure data by implementing a port blocking system which operates to detect a port request for use of a port sent by a process; determine the identity of said requesting process; determine if said process should be permitted to access said port; and allow said port request to be fulfilled if said process should be permitted to access said port and deny said port request if said process should not be permitted to access said port. 

15. A computer-readable medium programmed to protect secure data by implementing a port blocking system which operates to detect a port request for use of a port sent by a process; if said port request is an open port request, determine the identity of said requesting process; if said port request is an open port request, determine if said process should be permitted to open said port; if said port request is an open port request, allow said open port request to be fulfilled, track said open port request if said process should be permitted to open said port, and deny said port request if said process should not be permitted to open said port; if said port request is a close port request, complete said port request; and if said port request is a close port request, log the closing of said port. 
